Recently, the ipng.org.uk tunnel broker went down, and, looking for alternatives, most of the MirOS team and our friends have decided to go and use the SixXS tunnel broker.
Setting up a handle
Most people who are experimenting with IPv6 just need a 6BONE handle, but the MirOS developers have gotten RIPE (European) handles because they are using IPv6 productively. Asian users should go to APNIC, American users to ARIN, latino-americanos to LACNIC instead.
The set-up procedure is pretty much the same for all these NICs, with 6BONE using the RIPE format for entries, but not requiring a MNTNER.
If you are going to register a RIPE handle, you must let a person maintain it - that is, if you ever need to change it, the maintainer has to PGP-sign the change request, so nobody can play around with your handle. Maintainers are people with knowledge and work in the NOC area, so not everybody can (or should, for that matter) be their own MNTNER. Jeroen Massar of SixXS points out nicely that you should just "ask your friendly LIR" (local internet registry); if you don't know one, ask a server hoster or ISP nearby. Both MirOS developers are admins enough to be RIPE NCC MNTNERs.
In order to get a handle, first retrieve the form to fill out (for a person object, which is what you are going to create) using
$ whois -h whois.ripe.net -- -t\ person
Then email the filled out person object, including the MNT-BY attribute, to your friendly maintainer, or, if you are not going to have it maintained from the very beginning, to the RIPE NCC or 6BONE database backend.
What if you're stuck or want to know more?
Registering with SixXS
Registering is a fairly simple process. Just go to the SixXS website and enter your whois handle, password and a good reason why you want an IPv6 tunnel and can't get a native upstream.
Getting your tunnel
Log in at SixXS $HOME and ask for a heartbeat tunnel if you're on dial-up, or for a standard tunnel if you're on a dedicated line. A week later, you've got enough credits to get your own subnet.
Setting up the heartbeat client
Well... since you're already using the MirOS, you should know how to use MirPorts to install the net/sixxs-heartbeat client.
As for the configuration file, it's got a good sample.
Note: we might write our own heartbeat dæmon once the protocol is finished.
Some configuration work
# kill any heartbeat client that is still running
ps ax|grep sixxs|grep -v grep|while read pid rest; do
	kill $pid
done
# bring up the tunnel interface and start the heartbeat dæmon
ifconfig gif0 up
nice -n -1 /usr/local/sbin/sixxs-heartbeatd /etc/ppp/heartbeat.conf
# default route through gif0, using the minimum IPv6 MTU
route add -inet6 default fe80::%gif0 -mtu 1280
These lines are needed to initialize an unnumbered tunnel, in contrast to the numbered tunnel you need if you don't yet have a subnet. Please note that the SixXS staff does not want me to advertise the usage of unnumbered tunnels, or to use it at all.
Numbered tunnels without subnet
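Simply configure an IP address on the gif0 interface before setting the route to it. This looks as follows:
# kill any heartbeat client that is still running
ps ax|grep sixxs|grep -v grep|while read pid rest; do
	kill $pid
done
# bring up the tunnel interface and start the heartbeat dæmon
ifconfig gif0 up
nice -n -1 /usr/local/sbin/sixxs-heartbeatd /etc/ppp/heartbeat.conf
# local (::2) and remote (::1) tunnel endpoint addresses
ifconfig gif0 inet6 2001:6f8:900:XXXX::2 \
    2001:6f8:900:XXXX::1 prefixlen 128 alias
# default route via the remote tunnel endpoint
route add -inet6 default 2001:6f8:900:XXXX::1 -mtu 1280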
Numbered tunnels with subnet
SixXS wants you to do this. As for the tunnel configuration, see above - for the subnet configuration, see below. You must not add the pf.conf(5) entry below.
Unnumbered tunnels with subnet
You will need a line like the following in your pf.conf(5) unless you're fine with SixXS thinking you've got 100% packet loss (and eventually shutting down your tunnel):
rdr on gif0 inet6 from any to 2001:6f8:900:XXXX::2 -> 2001:6f8:YYYY:1::1
The first of these addresses is your assigned tunnel space, whereas the second address is the one the router got assigned on one of the local networks. (The interface must be always up and
Please note that you should not use the very first subnet, i.e. 2001:6f8:YYYY:0::/64, nor the last (replace 0 by FFFF), on IPv6 - you've got 65534 other subnets for physical lines to use.
You will also need to set up your router for each of the physical interfaces to which a subnet is delegated:
# /etc/hostname.fxp0
inet 192.168.0.1 0xFFFFFF00 192.168.0.255
inet6 2001:6f8:YYYY:1::1 64
inet6 2001:6f8:YYYY:1:: 64 anycast
This is just an example - it could look different. As per RFC, a subnet router must listen on the anycast address which has the network address it routes on, and the host part set to all zero, which is the last line in the above example.
# /etc/rtadvd.conf
fxp0:\
	:mtu#1280:addr="2001:6f8:YYYY:1::":prefixlen#64:
I'm still waiting for SixXS to reply to me, telling what their maximum supported MTU is - until then, I'm using the minimum supported, which would be 1280 (IPv6 does not work on lower MTUs).
You have to start rtadvd(8) via /etc/rc.conf.local and enable the IPv6 routing in /etc/sysctl.conf - but then, you're a professional MirOS admin, aren't you?
At the very least, you must pass "inet proto 41" on the outgoing interface (basically tun0 or ppp0) and inet6 traffic, including icmp6 (for SixXS' ping requests), on the gif0 interface. If something does not work, there are two things to do at once:
- Sync the clock: rdate -ncv[a] ptbtime2.ptb.de
- Shut off the firewall: pfctl -d
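Once the tunnel works with the firewall off, the rules named above can be written down and pf re-enabled. The following pf.conf(5) fragment is an added example, not part of the original page; the interface tun0 and the PoP address 192.0.2.1 are assumed placeholders, and dropping unsolicited inbound IPv6 is a stricter choice than the minimum described above.

```pf
# Added example, not from the original page. Assumed values:
#   tun0       outgoing IPv4 interface (the page names tun0 or ppp0)
#   192.0.2.1  placeholder for the IPv4 address of your SixXS PoP
ext_if = "tun0"
tun_if = "gif0"
pop4   = "192.0.2.1"

# Filter rules only; an rdr line, if you use one, belongs in the
# translation section ahead of them.

# Encapsulated IPv6 (IP protocol 41) only to and from the PoP,
# instead of from any host on the Internet.
pass out on $ext_if inet proto 41 from any to $pop4
pass in  on $ext_if inet proto 41 from $pop4 to any

# Inside the tunnel: outbound IPv6 keeps state so that replies come
# back; unsolicited inbound IPv6 is dropped. The last matching rule
# wins, so the pass rules below override this block.
block in  on $tun_if inet6 all
pass  out on $tun_if inet6 all keep state

# ICMPv6 the tunnel depends on: echo requests (the SixXS pings) and
# neighbour discovery. ICMPv6 errors that belong to an existing
# connection are matched by that connection's state entry.
pass in on $tun_if inet6 proto ipv6-icmp all \
	icmp6-type { echoreq, neighbrsol, neighbradv }
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf, then turn the firewall back on with pfctl -e.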
djbdns is IPv6 capable; you need the no_ipv4 flavour installed in parallel to the default one if you need IPv6 transport support (as opposed to IPv6 RR support, i.e. IN AAAA). Our resolver seems not to be IPv6-transport capable, or at least I haven't got an entry like nameserver ::1 in resolv.conf(5) to work. Bind9 looks like it could support IPv6, too.
Lynx and Apache are both IPv6 capable, so just adding
to /etc/hosts and typing $ lynx localhost6 should work if you started Apache. You can, after enabling the tunnel, test from outside and to outside (herc.v6.mirbsd.org for example), too. The SixXS site also displays which transport you are using.
We still can't support IPv4-mapped addresses (that is, listening to [::] (the IN6ADDR_ANY) does not get the dæmon IPv4 connections). Jun-ichiro itojun Hagino of OpenBSD thinks this is a great idea, but we do not - so if someone is skilled enough to patch that behaviour back into the MirOS BSD kernel, you're welcome.
IRC via IPv6 is cool. Just don't spam with your reverse DNS.